Add os.type to Auditbeat system/host dataset

elastic · Feb 2, 2021 · dc549df · dc549df
1 parent fa42ee7
commit dc549df
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -619,6 +619,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add ECS categorization info for auditd module {pull}18596[18596]
 - Add several improvements for auditd module for improved ECS field mapping {pull}22647[22647]
 - Add ECS 1.7 `configuration` categorization in certain events in auditd module. {pull}23000[23000]
+- system/host: Add new ECS 1.8 field `os.type` in `host.os.type`. {pull}23513[23513]
 
 *Filebeat*
 

diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
@@ -12336,6 +12336,16 @@ type: keyword
 The operating system's kernel version.
 
 
+type: keyword
+
+--
+
+*`system.audit.host.os.type`*::
++
+--
+OS type (see ECS os.type).
+
+
 type: keyword
 
 --

diff --git a/x-pack/auditbeat/module/system/fields.go b/x-pack/auditbeat/module/system/fields.go
diff --git a/x-pack/auditbeat/module/system/host/_meta/data.json b/x-pack/auditbeat/module/system/host/_meta/data.json
@@ -47,6 +47,7 @@
                 },
                 "timezone.name": "UTC",
                 "timezone.offset.sec": 0,
+                "type": "linux",
                 "uptime": 18661357350265
             }
         }

diff --git a/x-pack/auditbeat/module/system/host/_meta/fields.yml b/x-pack/auditbeat/module/system/host/_meta/fields.yml
@@ -77,3 +77,7 @@
       type: keyword
       description: >
         The operating system's kernel version.
+    - name: type
+      type: keyword
+      description: >
+        OS type (see ECS os.type).
diff --git a/x-pack/auditbeat/module/system/host/host.go b/x-pack/auditbeat/module/system/host/host.go
@@ -144,6 +144,10 @@ func (host *Host) toMapStr() common.MapStr {
 		mapstr.Put("os.codename", host.Info.OS.Codename)
 	}
 
+	if host.Info.OS.Type != "" {
+		mapstr.Put("os.type", host.Info.OS.Type)
+	}
+
 	var ipStrings []string
 	for _, ip := range host.Ips {
 		ipStrings = append(ipStrings, ip.String())
@@ -362,6 +366,7 @@ func hostEvent(host *Host, eventType string, action eventAction) mb.Event {
 	hostFields.CopyFieldsTo(hostTopLevel, "os.kernel")
 	hostFields.CopyFieldsTo(hostTopLevel, "os.name")
 	hostFields.CopyFieldsTo(hostTopLevel, "os.platform")
+	hostFields.CopyFieldsTo(hostTopLevel, "os.type")
 	hostFields.CopyFieldsTo(hostTopLevel, "os.version")
 
 	event.RootFields.Put("host", hostTopLevel)